Re: Use XP Firewall with Router & Firewall?
From: Gerald Vogt (vogt_at_spamcop.net)
Date: Wed, 09 Mar 2005 12:07:38 +0900
> "There is no way to block outbound traffic at the XP level" does not mean that
> there is "no way to block outbound traffic". Most any software firewall can
> easily cut off all internet access, and go from there. Even firewalls like
No, they can't unless you cut the cable. If the software firewall cuts
all internet access and it can re-enable it, then there is a way for
malware to send packets out. If you browse and use your Internet
Explorer, an application can tunnel information through your browser for
> Zonealarm raise an alarm if there is an attempt to shut them down. The
Well, the alarm is probably a window where it says: "click here to
continue". So all the malware has to do is to send a mouse click into
the window and it is gone before you even notice it on the screen.
> effectiveness of various firewalls gets a lot of debate; the effectiveness of
> the XP firewall to block outbound traffic is zero-it doesn't attempt it. And
Yep. A good idea. It does what it promises. Not like any of the PFWs
which promise much more than they can do...
> there are plenty of people reporting that they have caught worms and trojans
> using their firewall-certainly not all of them, though. If you are advocating
Using their PFW. Don't forget the additional security vulnerabilities of
the PFWs themselves which have been exploited in the past.
> smarter users, I agree, but there are better tools than the XP firewall for the
> average user as well as the advanced user. For inbound traffic, a router with
Yes, there are better tools instead of a PFW. Tools which have specific
purposes and do what they have to do. PFWs are supposed to protect the
user in an almost plug&play way. That's what they tell people. That's
what people tell each other. It is just wrong. If you want application
control, get something that controls applications and prevents software
that you did not install from running at all. Once it is running you
have a compromised machine, and a compromised machine is subject to
reformat. So, just get the tools that do what you want and not something
that does not do what it promises.
> NAT and preferably a firewall, along with a software firewall controlling
> inbound and outbound traffic is about as effective an approach as the average
> user can control. With a corporate firewall you can have lots of other options,
Good that you brought up user control. The average user is completely
overwhelmed by every PFW with its millions of messages, most of them
useless (access attempt to port 12345 blocked when there is actually
nothing listening on port 12345), and in particular with its application
control questions: "Do you want to allow outbound access for
svchost.exe?" Most PFWs are very quickly in a state where their outbound
protection is close to absolutely useless even if it worked 100% safely.
The bottom line is: the user has to learn how to prevent infections. The
sooner the better. A PFW gives many people the impression of being
invulnerable on the internet (together with an AV). A PFW lets people
ignore the signs of malware longer because they believe they are safe.
It is like driving: twenty airbags won't make you a safer driver. All
they may do is make the beginner think driving is safe.